Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis (PowerPoint presentation)


  1. Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis
  Artem Pavlenko, Alexander Semenov, Vladimir Ulyantsev
  {alpavlenko,ulyantsev}@corp.ifmo.ru
  ITMO University, St. Petersburg, Russia; ISDCT SB RAS, Irkutsk, Russia

  2. Cryptanalysis
  • There are many ways to encode and decode information
  • HTTPS, mobile traffic, …
  • Man in the middle
  • Algebraic cryptanalysis is a way of analyzing and breaking ciphers
  • Types of attacks:
    • Brute-force attack
    • Guess-and-determine attack

  3. Stream ciphers and cryptanalysis
  Cipher A5/1 – used in the 2G protocol. f : {0,1}^64 → {0,1}^128, f(x) = y.
  [Figure: three registers A, B, C with clocking bits b1, b2, b3; original text → encrypted text]
  X = X_A ∪ X_B ∪ X_C, X = {x1, x2, …, x64}, Y = {y1, y2, …, y128}
  Computing the encrypted text from the original text is fast; the inverse direction is NP-hard.
  Research question: how practically hard is it to decrypt some encrypted text?

  4. SAT and SAT-solvers
  • Boolean SATisfiability – the first known NP-complete problem
  • A dozen applicable SAT-solvers
  • minisat, lingeling, ROKK, …
  • Answers: SAT, UNSAT
  • Annual competitions in solving SAT!
  ⇓ good idea to translate a hard problem to SAT

  5. Encode to SAT using Transalg*
  Cipher A5/1 ⇒ (manually) Transalg program ⇒ (automatically) SAT formula
  [Figure: registers A, B, C; b1, b2, b3 – clocking bits; X = X_A ∪ X_B ∪ X_C, X = {x1, x2, …, x64}, Y = {y1, y2, …, y128}]
  *Transalg: [Otpuschennikov, I., Semenov, A., Gribanova, I., Zaikin, O., Kochemazov, S.: Encoding Cryptographic Functions to SAT Using TRANSALG System. In: ECAI 2016. FAIA, vol. 285, pp. 1594–1595 (2016)]

  6. Example of breaking for Trivium 64
  CPU: AMD Opteron 6276 @ 2.3 GHz x32. Time limit: 7 days.
          PLingeling    Treengeling   Guess-and-determine attack
  task 1  interrupted   interrupted   2d 6h
  task 2  interrupted   3d 2h         3d 19h
  task 3  interrupted   4d 10h        15h
  task 4  interrupted   interrupted   1d 21h
  task 5  interrupted   interrupted   4d 3h

  7. 2. Guess-and-determine attacks

  8. Guess-and-Determine. Backdoor
  B = {x1, x2, x3, x4, x5, x9, x12, x16, x19, x20, x21, x22, x23, x24, x25, x27, x28, x30, x36, x41, x42, x43, x47, x48, x49, x50, x52, x60}

  9. Guess-and-Determine. Guess
  B = {x1, x2, x3, x4, x5, x9, x12, x16, x19, x20, x21, x22, x23, x24, x25, x27, x28, x30, x36, x41, x42, x43, x47, x48, x49, x50, x52, x60}

  10. Guess-and-Determine. Determine
  solver.solve ⇒ Result: UNSAT, Time: 1.243 s

  11. Guess-and-Determine. Definition
  [Formula garbled in the extraction; the recoverable fragments are a "≪" comparison, τ = 1.243 s (the solving time from the previous slide) and s = |B|]

  12. How to construct an efficient backdoor?

  13. Backdoor-based Decomposition
  [Figure: decomposition over the key stream length]
  s = |B| – size (cardinality) of the backdoor set

  14. Monte-Carlo Sampling

  15. Evaluating
  If the task is solved in time T, then ξ = 1, else ξ = 0.
  Fitness function: the estimate of the breaking time is the fitness value.
  Estimation technique: [Semenov, A., Zaikin, O., Otpuschennikov, I., Kochemazov, S., Ignatiev, A.: On Cryptographic Attacks Using Backdoors for SAT. In: Proc. of AAAI 2018. pp. 6641–6648 (2018)]

  16. Intermediate sum-up
  • Analyzing stream ciphers is a hard problem
  • We can translate the attack to SAT
  • We can speed up the SAT-based attack using a backdoor
  ⇓
  • Selecting an efficient backdoor is itself a very hard problem
  • But there is a way to estimate the breaking time for a given backdoor [figure: estimation of attack time for a given backdoor]
  • Where are the evolutionary algorithms?!

  17. 3. Applying EA to construct an efficient backdoor

  18. Metaheuristic Algorithms
  Tabu Search* (applied by us earlier), Evolutionary Computation (applied in this work), Simulated Annealing
  Individual: a bit vector that represents a set of guessed bits, e.g.
  B = {x1, x2, x3, x4, x5, x9, x12, x16, x19, x20, x21, x22, x23, x24, x25, x27, x28, x30, x36, x41, x42, x43, x47, x48, x49, x50, x52, x60}
  *Tabu Search application: [Semenov, A., Zaikin, O.: Algorithm for Finding Partitionings of Hard Variants of Boolean Satisfiability Problem with Application to Inversion of Some Cryptographic Functions. SpringerPlus 5(1), 554 (2016)]

  19. Two Phases

  20. Adaptation Strategy
  • The algorithm starts with Monte-Carlo sample size M = 10
  • M gradually increases to 1000 as the fitness value decreases
  [Figure: sample size and estimated breaking time plotted against the evolutionary algorithm iteration]

  21. EA (1+1) example. Trivium 64 cipher
  • standard bit mutation
  • stagnation limit = 300
  • wall-time – 12 hours
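A runnable model of the pipeline on slides 13 to 21 (individual as bit vector, Monte-Carlo fitness, sample-size adaptation, (1+1)-EA with standard bit mutation), added here as an illustration and not code from the authors or their tools. The SAT-solver call is replaced by a constructed, hash-based stand-in with made-up "propagation weights"; the estimator 2^s · T / ρ and the "double M on improvement" reading of the adaptation rule are assumptions.

```python
import hashlib
import math
import random

N_VARS = 64      # key length of the target, as for A5/1 on the slides
T_LIMIT = 1.0    # per-subproblem time limit T (notional seconds)

def to_backdoor(bits):
    """Individual (bit vector) -> backdoor set B: indices of the guessed bits."""
    return [i for i, b in enumerate(bits) if b]

def solved_within_limit(backdoor, assignment, weights):
    """Constructed stand-in for 'fix the backdoor variables to `assignment`, run
    the SAT solver with time limit T, report whether it finished' (xi = 1 or 0).
    A real attack calls a SAT solver here; the stand-in decides from a hash of the
    assignment (reproducible) and finishes with probability rho = sum of weights."""
    buf = assignment.to_bytes((len(backdoor) + 7) // 8, "big")
    u = int.from_bytes(hashlib.sha256(buf).digest()[:8], "big") / 2**64
    return u < min(1.0, sum(weights[i] for i in backdoor))

def estimate_breaking_time(backdoor, sample_size, weights, rng=None):
    """Monte-Carlo fitness of slide 15: sample assignments of the s = |B| guessed
    bits, count subproblems solved within T, estimate attack time as 2^s * T / rho
    (rho = solved fraction); the estimator is assumed from the cited AAAI 2018 paper."""
    rng, s = rng or random.Random(0), len(backdoor)
    if s == 0:
        return math.inf                      # nothing guessed: no decomposition
    solved = sum(solved_within_limit(backdoor, rng.getrandbits(s), weights)
                 for _ in range(sample_size))
    return math.inf if solved == 0 else 2**s * T_LIMIT * sample_size / solved

def one_plus_one_ea(weights, iterations=300, stagnation_limit=50, seed=1):
    """(1+1)-EA of slide 21: flip each bit with probability 1/n; slide-20 adaptation
    assumed as: M starts at 10 and doubles (capped at 1000) when fitness improves."""
    rng = random.Random(seed)
    parent = [1] * N_VARS                    # start from brute force: guess everything
    m, stagnation = 10, 0
    best = estimate_breaking_time(to_backdoor(parent), m, weights, rng)
    for _ in range(iterations):
        child = [b ^ (rng.random() < 1 / N_VARS) for b in parent]
        fit = estimate_breaking_time(to_backdoor(child), m, weights, rng)
        if fit > best:                       # worse: keep parent, count stagnation
            stagnation += 1
            if stagnation >= stagnation_limit:
                break
            continue
        if fit < best:                       # improved: grow the Monte-Carlo sample
            m, stagnation = min(1000, 2 * m), 0
        parent, best = child, fit
    return to_backdoor(parent), best
```

Calling `one_plus_one_ea([0.02] * N_VARS)` (constructed weights) shrinks the backdoor from all 64 bits towards a small set with a much lower estimated attack time; with a real solver the noise in ρ is what makes the growing sample size matter.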

  22. GA (Elitism) example. Trivium 64 cipher
  • population size N = 10
  • standard bit mutation
  • uniform crossover with probability p = 0.2
  • wall-time – 12 hours

  23. Experimental results (|B| – backdoor size; attack time in seconds)
                       Tabu Search            (1+1)-EA               GA
                       |B|  Attack time (s)   |B|  Attack time (s)   |B|  Attack time (s)
  Trivium-Toy 64/75    17   4.30e+07          21   3.19e+07          22   5.36e+07
  Trivium-Toy 96/100   34   3.14e+12          33   1.28e+13          40   2.09e+12
  Bivium 177/200       40   4.29e+12          32   2.60e+12          39   1.49e+12
  ASG 72/76            8    5601.33           9    5604.8            8    6155.19
  ASG 96/112           14   3.95e+06          13   6.76e+06          16   3.72e+06
  ASG 192/200          47   1.14e+16          47   2.27e+18          44   2.84e+17

  24. Conclusion
  • We used (1+1)-EA and GA to construct SAT-based guess-and-determine attacks on cryptographic ciphers.
  • We proposed a sample size adaptation strategy to increase the number of individuals that the algorithm processes during a fixed time budget.
  • Backdoors have been found, some of them better than those found earlier, but the estimated breaking time is still very long.
  • Another paper accepted to GECCO’19, see you there :)
  • Supported by the Russian Science Foundation (project No 18-71-00150)

  25. Thank you for your attention!
  Artem Pavlenko, Alexander Semenov, Vladimir Ulyantsev
  {alpavlenko,ulyantsev}@corp.ifmo.ru
  instagram.com/itmo.ctlab
